Recently fixed vulnerabilities in Sun's Java Runtime Environment and Adobe's Flash player mean that unpatched systems are vulnerable and could be infected with spyware or recruited into a botnet by simply visiting a Web page with exploit code -- and Google last month warned that 10 percent of Web sites contain this kind of malicious code.
IT professionals have been warned to patch vulnerabilities in the Adobe Flash Player application and Sun Java Runtime Environment as soon as possible.
The vulnerabilities mean that employees can get "hacked just by viewing a Web page that contains malicious Flash or Java content", warned antivirus company F-Secure in its blog.
Both Adobe and Sun issued patches for the vulnerabilities in updates last week. The Adobe update addresses an input validation error in Flash Player version 184.108.40.206 and earlier versions that could lead to the potential execution of arbitrary code.
The Sun update links to a patch for a buffer overflow vulnerability in the image-parsing code in the Java Runtime Environment that may allow an untrusted applet or application to elevate its privileges.
The flaw in the Java Runtime Environment could be particularly serious if left unpatched, according to Chris Gatford, a security professional from penetration-testing firm Pure Hacking.
"Java runs on everything: cell phones, PDAs and PCs. This is the problem when you have a vulnerability in something so modular -- it affects so many different devices," Gatford told ZDNet Australia.
"Also, this exploit is browser independent, as long as it invokes a vulnerable Java Runtime Environment," Gatford added.
ZDNet Australia's Liam Tung contributed to this report.
Tom Espiner reported for ZDNet UK from London